Safe Links has been included by Microsoft in Office 365 as part of its ATP (Advanced Threat Protection) solution that works by replacing all URLs in an incoming email with Microsoft-owned secure URLs.
Therefore, every time users click on a link provided in an email, Safe Links first sends them to a Microsoft owned domain, where it immediately checks the original link for anything suspicious. If Microsoft's security scanners detect any malicious element, it then warns the users about it, and if not, it redirects them to the original link.
However, researchers at the cloud security company Avanan have revealed how attackers have been bypassing both Office 365's URL reputation check and Safe Links URL protection features by using Zero-Width SPaces (ZWSPs).
Supported by all modern web browsers, zero-width spaces (listed below) are non-printing Unicode characters that typically used to enable line wrapping in long words, and most applications treat them as regular space, even though it is not visible to the eye.
Zero-Width Space Phishing Attack Demonstration
According to the researchers, attackers are simply inserting multiple zero-width spaces within the malicious URL mentioned in their phishing emails, breaking the URL pattern in a way that Microsoft does not recognize it as a link.
"Microsoft email processing did not recognize this URL as a legitimate URL, and neither applied URL reputation checking nor converted it with Safe Links for post-click checking," the researchers say in a blog post published Wednesday.
"The email was delivered to the intended recipient; but in their inbox, users did not see the ZWSPs in the URL."
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
However, when the end-users clicked on the link in the email, they were landed to a credential harvesting phishing website.
Researchers also provided a video demonstration showing what happened when they sent a malicious URL to an Office 365 inbox without any ZWSP characters inserted in the URL and with ZWSP characters inserted into the URL.
The Z-WASP attack is another chain in a list of exploits, including the baseStriker and ZeroFont attacks, that are designed to obfuscate malicious content and confuse Microsoft Office 365 security.
The security firm discovered the Z-WASP attack on more than 90 percent of Avanan's Office 365 customers and reported the issue to Microsoft on November 10th last year after confirming its nature.
Avanan then worked with the Microsoft security team continuously on assessing the scope of the vulnerability, which was then addressed on January 9th.